Auto-submit the unsubscribe confirmation form only if signature is more than 5 minutes old. Idea from https://stackoverflow.com/questions/59281750/strategies-to-prevent-email-scanners-from-activating-unsubscribe-links/59381066#59381066

hc/accounts/tests/test_unsubscribe_reports.py

@@ -1,8 +1,10 @@
 from datetime import timedelta as td
+import time
 
 from django.core import signing
 from django.utils.timezone import now
 from hc.test import BaseTestCase
+from mock import patch
 
 
 class UnsubscribeReportsTestCase(BaseTestCase):
@@ -36,3 +38,16 @@ class UnsubscribeReportsTestCase(BaseTestCase):
 
         r = self.client.get(url)
         self.assertContains(r, "Please press the button below")
+        self.assertNotContains(r, "submit()")
+
+    def test_aged_signature_autosubmits(self):
+        with patch("django.core.signing.time") as mock_time:
+            mock_time.time.return_value = time.time() - 301
+            signer = signing.TimestampSigner(salt="reports")
+            sig = signer.sign("alice")
+
+        url = "/accounts/unsubscribe_reports/%s/" % sig
+
+        r = self.client.get(url)
+        self.assertContains(r, "Please press the button below")
+        self.assertContains(r, "submit()")

hc/accounts/urls.py

@@ -16,7 +16,7 @@ urlpatterns = [
     path("profile/notifications/", views.notifications, name="hc-notifications"),
     path("close/", views.close, name="hc-close"),
     path(
-        "unsubscribe_reports/<str:username>/",
+        "unsubscribe_reports/<str:signed_username>/",
         views.unsubscribe_reports,
         name="hc-unsubscribe-reports",
     ),

hc/accounts/views.py

@@ -433,17 +433,28 @@ def change_email_done(request):
 
 
 @csrf_exempt
-def unsubscribe_reports(request, username):
+def unsubscribe_reports(request, signed_username):
+    # Some email servers open links in emails to check for malicious content.
+    # To work around this, for GET requests we serve a confirmation form.
+    # If the signature is more than 5 minutes old, we also include JS code to
+    # auto-submit the form.
+
+    ctx = {}
     signer = signing.TimestampSigner(salt="reports")
+    # First, check the signature without looking at the timestamp:
     try:
-        username = signer.unsign(username)
+        username = signer.unsign(signed_username)
     except signing.BadSignature:
         return render(request, "bad_link.html")
 
-    # Some email servers open links in emails to check for malicious content.
+    # Check if timestamp is older than 5 minutes:
-    # To work around this, we serve a form that auto-submits with JS.
+    try:
+        username = signer.unsign(signed_username, max_age=300)
+    except signing.SignatureExpired:
+        ctx["autosubmit"] = True
+
     if request.method != "POST":
-        return render(request, "accounts/unsubscribe_submit.html")
+        return render(request, "accounts/unsubscribe_submit.html", ctx)
 
     user = User.objects.get(username=username)
     profile = Profile.objects.for_user(user)

hc/api/models.py

@@ -7,6 +7,7 @@ from datetime import datetime, timedelta as td
 
 from croniter import croniter
 from django.conf import settings
+from django.core.signing import TimestampSigner
 from django.db import models
 from django.urls import reverse
 from django.utils import timezone
@@ -372,7 +373,9 @@ class Channel(models.Model):
         emails.verify_email(self.email_value, {"verify_link": verify_link})
 
     def get_unsub_link(self):
-        args = [self.code, self.make_token()]
+        signer = TimestampSigner(salt="alerts")
+        signed_token = signer.sign(self.make_token())
+        args = [self.code, signed_token]
         verify_link = reverse("hc-unsubscribe-alerts", args=args)
         return settings.SITE_ROOT + verify_link
 

hc/front/tests/test_unsubscribe_email.py

@@ -1,5 +1,8 @@
+import time
+from django.core.signing import TimestampSigner
 from hc.api.models import Channel
 from hc.test import BaseTestCase
+from mock import patch
 
 
 class UnsubscribeEmailTestCase(BaseTestCase):
@@ -9,7 +12,15 @@ class UnsubscribeEmailTestCase(BaseTestCase):
         self.channel.value = "alice@example.org"
         self.channel.save()
 
-    def test_it_works(self):
+    def test_it_serves_confirmation_form(self):
+        token = self.channel.make_token()
+        url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)
+
+        r = self.client.get(url)
+        self.assertContains(r, "Please press the button below")
+        self.assertNotContains(r, "submit()")
+
+    def test_post_unsubscribes(self):
         token = self.channel.make_token()
         url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)
 
@@ -19,6 +30,39 @@ class UnsubscribeEmailTestCase(BaseTestCase):
         q = Channel.objects.filter(code=self.channel.code)
         self.assertEqual(q.count(), 0)
 
+    def test_fresh_signature_does_not_autosubmit(self):
+        signer = TimestampSigner(salt="alerts")
+        signed_token = signer.sign(self.channel.make_token())
+
+        url = "/integrations/%s/unsub/%s/" % (self.channel.code, signed_token)
+
+        r = self.client.get(url)
+        self.assertContains(
+            r, "Please press the button below to unsubscribe", status_code=200
+        )
+        self.assertNotContains(r, "submit()", status_code=200)
+
+    def test_aged_signature_does_autosubmit(self):
+        with patch("django.core.signing.time") as mock_time:
+            mock_time.time.return_value = time.time() - 301
+            signer = TimestampSigner(salt="alerts")
+            signed_token = signer.sign(self.channel.make_token())
+
+        url = "/integrations/%s/unsub/%s/" % (self.channel.code, signed_token)
+
+        r = self.client.get(url)
+        self.assertContains(
+            r, "Please press the button below to unsubscribe", status_code=200
+        )
+        self.assertContains(r, "submit()", status_code=200)
+
+    def test_it_checks_signature(self):
+        signed_token = self.channel.make_token() + ":bad:signature"
+        url = "/integrations/%s/unsub/%s/" % (self.channel.code, signed_token)
+
+        r = self.client.get(url)
+        self.assertContains(r, "link you just used is incorrect", status_code=200)
+
     def test_it_checks_token(self):
         url = "/integrations/%s/unsub/faketoken/" % self.channel.code
 
@@ -33,11 +77,4 @@ class UnsubscribeEmailTestCase(BaseTestCase):
         url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)
 
         r = self.client.get(url)
-        self.assertEqual(r.status_code, 400)
+        self.assertEqual(r.status_code, 404)
-
-    def test_it_serves_confirmation_form(self):
-        token = self.channel.make_token()
-        url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)
-
-        r = self.client.get(url)
-        self.assertContains(r, "Please press the button below")

hc/front/urls.py

@@ -57,7 +57,7 @@ channel_urls = [
         "<uuid:code>/verify/<slug:token>/", views.verify_email, name="hc-verify-email"
     ),
     path(
-        "<uuid:code>/unsub/<slug:token>/",
+        "<uuid:code>/unsub/<str:signed_token>/",
         views.unsubscribe_email,
         name="hc-unsubscribe-alerts",
     ),

hc/front/views.py

@@ -702,18 +702,35 @@ def verify_email(request, code, token):
 
 
 @csrf_exempt
-def unsubscribe_email(request, code, token):
+def unsubscribe_email(request, code, signed_token):
-    channel = get_object_or_404(Channel, code=code)
+    # Some email servers open links in emails to check for malicious content.
+    # To work around this, on GET requests we serve a confirmation form.
+    # If the signature is at least 5 minutes old, we also include JS code to
+    # auto-submit the form.
+    ctx = {}
+    if ":" in signed_token:
+        signer = signing.TimestampSigner(salt="alerts")
+        # First, check the signature without looking at the timestamp:
+        try:
+            token = signer.unsign(signed_token)
+        except signing.BadSignature:
+            return render(request, "bad_link.html")
+
+        # Check if timestamp is older than 5 minutes:
+        try:
+            signer.unsign(signed_token, max_age=300)
+        except signing.SignatureExpired:
+            ctx["autosubmit"] = True
+
+    else:
+        token = signed_token
+
+    channel = get_object_or_404(Channel, code=code, kind="email")
     if channel.make_token() != token:
         return render(request, "bad_link.html")
 
-    if channel.kind != "email":
-        return HttpResponseBadRequest()
-
-    # Some email servers open links in emails to check for malicious content.
-    # To work around this, we serve a form that auto-submits with JS.
     if request.method != "POST":
-        return render(request, "accounts/unsubscribe_submit.html")
+        return render(request, "accounts/unsubscribe_submit.html", ctx)
 
     channel.delete()
     return render(request, "front/unsubscribe_success.html")

templates/accounts/unsubscribe_submit.html

@@ -12,4 +12,9 @@
         class="btn btn-lg btn-primary"
         value="Unsubscribe">
 </form>
+
+{% if autosubmit %}
+	<script>document.getElementById("form").submit();</script>
+{% endif %}
+
 {% endblock %}